Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
1
Replies

IPS module setup on 5500-X series ASA

Colin Higgins
Level 2
Level 2

‎05-17-2013 10:30 AM - edited ‎03-11-2019 06:45 PM

Since the 5500X series firewalls use a software IPS SSM that is set up differently from the old ones, I am a little confused on the initial setup.

Looking at this document

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

we see a proposed setup for L3 management of the IPS

------

interface GigabitEthernet0/0
 nameif outside security-level 0
 ip address 203.0.113.1 255.255.0.0
!!interface GigabitEthernet0/1
 nameif inside security-level 0
 ip address 198.51.100.1 255.255.255.0
!!interface Management0/0
 no nameif security-level 0
 management-only
!!same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network IPS-management
 host 198.51.100.2
object network ASA-inside
 host 198.51.100.1
object network ASA-outside
 host 203.0.113.1
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management
   any
 
nat (inside,outside) source dynamic IPS-management IPS-management interface
 
nat (inside,outside) static IPS-management ASA-outside service tcp 443 65432

----

So my question is:

Where does the IPS module get the 192.51.100.2 address? Is this assigned during the initial setup of the module?
(I didn't see anything about IP assignment in 
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_asa_ips.pdf)

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-17-2013 12:53 PM

When you run the "setup" command from the CLI, one of the menu choices will be to assign the IPS Management address.

You can also do this from the ASA by using the Device setup wizard in the Configuration window. Just tell it to modify your existing configuration and click through the first several screens that pertain to the parent ASA until you get to the last couple that are IPS-specific.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card